Heartbleed: A Coding Error

I am sure everyone has received an email from several online service providers in the past week asking you to change your password.

Unless you have been living under a rock or completely cut off from the Internet for the past two weeks (the first option is more likely), chances are you have heard about a bug called “Heartbleed.” Catchy name, right?!

Everyone is freaking out about this bug, and words like “catastrophic bug” and “major security vulnerability” are being used to describe it. Even though Heartbleed is a software bug and not a biological one, the alarm it is causing is comparable to a viral pandemic.

Well, to understand how this bug is terrorizing millions, let’s begin with the basics. Have you ever noticed the “https” and the lock sign in the address bar of your browser on sites like Yahoo or Google? That is the sign of a secure connection. Secure means two things: the data flowing between the client (you) and the server is encrypted, and the server has proven its identity with a certificate, so you know you are talking to the real site and not an impostor.

“https” stands for Hypertext Transfer Protocol Secure, which is ordinary web traffic (HTTP) carried over an encrypted connection; the lock shows that the connection is secure. The encryption layer was originally called SSL (Secure Sockets Layer); its modern successor is TLS (Transport Layer Security), though many people still say “SSL” for both. OpenSSL is not a protocol but a piece of software, a library, that implements SSL/TLS, and a large share of the world’s web servers use it. Programmers rarely write such things from scratch: they reuse a library, a collection of common functions that many programs share. OpenSSL is open source, which means its source code is publicly available for anyone to read, use and modify.

Coding errors can cause a program to crash or, in the case of Heartbleed, to leak information it holds in memory. So how does Heartbleed work? The secure communication protocol in question is TLS (Transport Layer Security). Every protocol has rules. The rules of TLS are written down in a standards document, RFC 5246 (for TLS version 1.2), and the optional “heartbeat” feature that contains the bug is described in its own document, RFC 6520. Based on these rules, the OpenSSL developers wrote the code that servers run to provide secure connections.

OpenSSL implements an optional TLS feature, the heartbeat extension, that lets either end of a connection check, while the connection is open, whether the other end is still there.

How does it do this? Every communication has a sender and a receiver. To check that the connection is still active, one end (let’s say the sender) sends a heartbeat request containing two things:

A small piece of data, called the payload (up to 64 KB in size)

A number stating how long that piece of data is.

When the receiver gets this message, it is supposed to send back exactly the same piece of data, which confirms that the connection is alive. Because of Heartbleed, “the incredibly devious bug in the program,” that is not what happens when the number lies.

Instead, let’s say 23 KB of data were sent to the receiver but the accompanying number says 50 KB (i.e. the stated size is larger than the actual size of the data). The buggy code never compares the two. It believes the number and sends back 50 KB: the 23 KB it actually received, plus 27 KB of whatever happens to sit next to that data in the receiving program’s memory.
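To make this concrete, here is an added simulation in C. It is not OpenSSL’s code and is not from the original article; it mirrors the logic of the bug and of its fix (the bounds check added in OpenSSL 1.0.1g) in a toy server. The secret string, the flat 128-byte “server memory” with the incoming record at one end and the secret right after it, and the function names are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message:
   type (1 byte) | payload_length (2 bytes, big endian) | payload | padding (at least 16 bytes) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define RECORD_AREA  64    /* bytes of simulated memory reserved for the incoming record */
#define MEM_SIZE     128   /* total simulated process memory */

/* Constructed stand-in for whatever the real server held next to its buffers. */
static const char NEIGHBOUR_SECRET[] = "session=Xk3Q9;-----BEGIN PRIVATE KEY-----";

/* Simulated server memory as one flat array: the record lands at offset 0 and the
   secret sits at offset RECORD_AREA, so an over-read stays inside one C object. */
static uint8_t server_mem[MEM_SIZE];

/* Place a heartbeat request in memory whose length field may lie about the payload.
   Returns the number of bytes the transport actually delivered. */
static size_t receive_record(const uint8_t *payload, uint16_t real_len, uint16_t claimed_len)
{
    memset(server_mem, 0, sizeof server_mem);
    memcpy(server_mem + RECORD_AREA, NEIGHBOUR_SECRET, sizeof NEIGHBOUR_SECRET - 1);
    uint8_t *p = server_mem;
    *p++ = HB_REQUEST;
    *p++ = (uint8_t)(claimed_len >> 8);   /* attacker-controlled length field */
    *p++ = (uint8_t)(claimed_len & 0xff);
    memcpy(p, payload, real_len);         /* the bytes that really arrived */
    p += real_len;
    memset(p, 0, HB_PADDING);
    p += HB_PADDING;
    return (size_t)(p - server_mem);
}

/* Handler with the Heartbleed logic: it trusts the length field and never
   compares it with how many bytes actually arrived. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                   /* never consulted: this is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)claimed > MEM_SIZE) return -1;   /* demo guard only: the real code had no bound and read up to 64 KB */
    size_t resp_len = 3 + (size_t)claimed + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);               /* copies `claimed` bytes, whatever came in */
    memset(out + 3 + claimed, 0, HB_PADDING);
    return (int)resp_len;
}

/* Handler with the 1.0.1g fix: header + claimed payload + padding must fit inside
   the bytes actually received, otherwise the message is silently dropped. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;       /* too short to be a heartbeat at all */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)claimed + HB_PADDING > rec_len) return 0;   /* the missing bounds check */
    size_t resp_len = 3 + (size_t)claimed + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);               /* now provably inside the record */
    memset(out + 3 + claimed, 0, HB_PADDING);
    return (int)resp_len;
}

/* Naive substring search over a byte buffer (memmem is not portable). */
static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Send one heartbeat through a handler: 1 if the reply carries the neighbouring
   secret, 0 if it is an honest echo, -1 if the handler dropped or rejected it. */
int probe(int (*handler)(const uint8_t *, size_t, uint8_t *, size_t),
          uint16_t real_len, uint16_t claimed_len)
{
    static const uint8_t payload[] = "hello";
    if (real_len > sizeof payload - 1) real_len = (uint16_t)(sizeof payload - 1);
    size_t rec_len = receive_record(payload, real_len, claimed_len);
    uint8_t out[MEM_SIZE + HB_PADDING + 3];
    int n = handler(server_mem, rec_len, out, sizeof out);
    if (n <= 0) return -1;
    return contains(out + 3, (size_t)n - 3, "session=") ? 1 : 0;
}

int main(void)
{
    printf("vulnerable, honest length : %d\n", probe(heartbeat_vulnerable, 5, 5));
    printf("vulnerable, claims 100    : %d\n", probe(heartbeat_vulnerable, 5, 100));
    printf("fixed, claims 100         : %d\n", probe(heartbeat_fixed, 5, 100));
    return 0;
}
```

The only difference between the two handlers is one comparison: the fixed version refuses to answer when the claimed length does not fit inside the bytes it actually received. Note that the fix drops the bad request silently rather than sending an error, so a patched server gives the prober nothing at all.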

System memory (RAM) is temporary: its contents vanish when a computer shuts down. But while a server is running, its memory holds whatever it is working on at that moment: login names and passwords of people who just signed in, session cookies, and, worst of all, the server’s own private key, which can be used to impersonate the site or to decrypt captured traffic. The bug is considered so dangerous because a heartbeat request is a normal part of the protocol: nothing is logged, no warning is displayed, and an attacker can repeat the request as often as they like, each time getting a fresh slice of memory. There is no way of knowing whether a server has been targeted.

So what can users do? One precaution that websites are asking their users to take is to change the passwords for their accounts. It is important that you only change your password after you have received an email from the website asking you to do so, or have otherwise confirmed that the site has fixed its software. If you change your password before the website has patched OpenSSL (and replaced the certificate whose private key may have leaked), the new password can be stolen in exactly the same way as the old one.

So you might be wondering, what can I do to protect myself from such vulnerabilities in the future? One caveat first: Heartbleed is a bug in the server’s software, so nothing you install on your own computer can stop a vulnerable server from leaking your data. What you can do is limit how much of your identity a site gets to see. A software called “Tails” is one way to do that. As the website describes it, Tails is “the Amnesic Incognito Live system,” designed to preserve privacy and anonymity. It doesn’t need to be installed on your computer: it runs straight from a DVD, USB stick or SD card. Convenient, right?

The only problem is that this software is still a work in progress and has vulnerabilities of its own. Tails uses a program called Tor. Tor makes a user’s Internet traffic anonymous by routing it through a network of computers run by volunteers around the world. It is also the software that WikiLeaks, the controversial site founded by Julian Assange, has relied on to protect its sources.

So if you don’t want your privacy violated, the best option is to not use the Internet because nothing is 100 percent secure.

Helix Magazine is a publication by Science in Society, Northwestern University’s office for science outreach and public engagement.